SymfonyCon Disneyland Paris 2021
Dec 2–3, 2021
SymfonyWorld Online 2020
Dec 3–4, 2020
SymfonyLive Berlin 2020
CANCELED
SymfonyLive Warszawa 2020
CANCELED
SymfonyLive Paris 2020
Sep 23–24, 2020
  1. Home
  2. Documentation
  3. Security
  4. How to Secure any Service or Method in your Application
WARNING: You are browsing the documentation for Symfony 4.0 which is not maintained anymore. Consider upgrading your projects to Symfony 5.1.

How to Secure any Service or Method in your Application

4.0 version
Maintained
3.4 4.4 5.1 current 5.2 master
Unmaintained
2.7 2.8 3.0 3.1 3.2 3.3 4.1 4.2 4.3 5.0

How to Secure any Service or Method in your Application

In the security article, you can see how to secure a controller by requesting the Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface service from the Service Container and checking the current user’s role:

// ...
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

public function hello(AuthorizationCheckerInterface $authChecker)
{
    if (!$authChecker->isGranted('ROLE_ADMIN')) {
        throw new AccessDeniedException();
    }

    // ...
}

You can also secure any service by injecting the authorization checker service into it. For a general introduction to injecting dependencies into services see the Service Container article. For example, suppose you have a NewsletterManager class that sends out emails and you want to restrict its use to only users who have some ROLE_NEWSLETTER_ADMIN role. Before you add security, the class looks something like this:

// src/Newsletter/NewsletterManager.php
namespace App\Newsletter;

class NewsletterManager
{
    public function sendNewsletter()
    {
        // ... where you actually do the work
    }

    // ...
}

Your goal is to check the user’s role when the sendNewsletter() method is called. The first step towards this is to inject the security.helper service using the Symfony\Component\Security\Core\Security class:

// src/Newsletter/NewsletterManager.php

// ...
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Security;

class NewsletterManager
{
    protected $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public function sendNewsletter()
    {
        if (!$this->security->isGranted('ROLE_NEWSLETTER_ADMIN')) {
            throw new AccessDeniedException();
        }

        // ...
    }

    // ...
}

If you’re using the default services.yaml configuration, Symfony will automatically pass the security.helper to your service thanks to autowiring and the Security type-hint.

If the current user does not have the ROLE_NEWSLETTER_ADMIN, they will be prompted to log in.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.